This disclosure relates to security provisioning.
The prevalence and accessibility of computer networks require security measures to protect valuable information and to ensure that users of the computer networks are using network resources in accordance with one or more security and usage policies. An enterprise, for example, can implement such security measures by use of a layered security system. Such a layered security system can be implemented at the network edge of the enterprise, e.g., firewalls, gateway security agents, etc. Additionally, a layered security system can also include security processes and agents that are implemented throughout the enterprise, e.g., virus scanning software on each computer device within the enterprise, content filtering software, content monitoring software, etc.
Such layered security systems are prone to processing inefficiencies and can require many resources within the enterprise to maintain the systems. For example, many layered security systems do not implement a distribution infrastructure to communicate and share content intelligence. This results in repeated processing of both good and bad content. Many layered security systems also cannot readily maintain a central data store of threat data that classifies content items such as files, uniform resource locators (URLs), and e-mails according to security classifications (e.g., virus, malware, spam mail, etc.).
Additionally, generating a consolidated security view of the enterprise is a difficult process, as this requires collecting data from different locations and user groups and arranging the data in a common time order before abstracting and generating reports. Due to the disparity in security products across locations, it is difficult to capture the information in a common format.
Finally, many of the existing security solutions have limited real-time or data mining capabilities. In particular, many of the existing security solutions have limited capabilities for detecting potentially surreptitious activities of users. For example, an entity, such as an enterprise, may define a list of prohibited resource locations, e.g., a list of prohibited URLs. However, users can attempt to access the prohibited resource locations by use of anonymous proxy servers. Such proxy servers service the requests of their clients by forwarding requests to other servers, such as the servers that are prohibited by the enterprise. Thus, by using a proxy server, a user can access prohibited web sites.
Some security systems can access a list of known proxy servers, e.g., a list of IP addresses associated with proxy servers, or the URLs of the proxy servers, and block HTTP requests and responses from the proxy servers. However, there may be legitimate uses for the proxy servers, and thus this approach imposes the additional cost of eliminating the use of proxy servers altogether. Furthermore, new proxy servers may appear or an address associated with an existing proxy server can change, and thus maintaining a list of all proxy servers for blocking purposes is time consuming and expensive, and often not possible.
Adding to the complexity is the encoding of resource location data. Many common schemes are used to encode data, such as Base16, Base32 and Base64 data encodings, which are specified in RFC 4648. Such base encoding of data is used to store or transfer data in environments that, usually for legacy reasons, are restricted to US-ASCII data, or because the encoding makes it possible to manipulate particular objects with text editors. The encoding of resource data, however, can effectively disguise a prohibited resource location. For example, the URL “www.example.com” encoded in Base64 is “d3d3LmV4YW1wbGUuY29t”. Identifying and decoding all encoded data can be time consuming and resource prohibitive, and thus prohibited resource locations can be accessed by their encoded variant.
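As an added example, not part of this disclosure, the following Python scans a request line for prohibited resource locations that appear either in the clear or disguised under any of the three RFC 4648 encodings named above. The blocklist entries and the sample request are constructed for illustration; the `find_prohibited` and `encode_variants` names are this example's own.

```python
import base64
import binascii
import re

# Constructed blocklist for this example; not taken from any real policy.
PROHIBITED = ("www.example.com", "bad.example.net")

# Candidate tokens: runs of RFC 4648 alphabet characters with optional '=' padding.
# The Base16 and Base32 alphabets are subsets of the Base64 alphabet, so one
# pattern collects candidates for all three schemes.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{8,}=*")


def encode_variants(location: str) -> dict:
    """RFC 4648 encodings of a location, showing how each scheme disguises it."""
    raw = location.encode("ascii")
    return {"base16": base64.b16encode(raw).decode(),
            "base32": base64.b32encode(raw).decode(),
            "base64": base64.b64encode(raw).decode()}


def _decode(scheme: str, token: str) -> bytes:
    """Decode one token under one scheme, restoring stripped padding; raises on invalid input."""
    t = token.rstrip("=")
    if scheme == "base64":
        return base64.b64decode(t + "=" * (-len(t) % 4), validate=True)
    if scheme == "base32":
        return base64.b32decode(t + "=" * (-len(t) % 8), casefold=True)
    return base64.b16decode(t, casefold=True)


def find_prohibited(text: str, prohibited=PROHIBITED) -> list:
    """Return (scheme, token, location) for each prohibited location in the text,
    whether it appears in the clear ("plain") or inside a Base16/32/64 token.
    Decoding candidates, rather than matching precomputed encodings, also catches a
    location whose Base64 form differs because it starts mid-way through a 3-byte group."""
    hits = [("plain", loc, loc) for loc in prohibited if loc in text]
    for token in sorted(set(TOKEN_RE.findall(text))):
        for scheme in ("base64", "base32", "base16"):
            try:
                decoded = _decode(scheme, token).decode("ascii")
            except (binascii.Error, ValueError, UnicodeDecodeError):
                continue  # not valid under this scheme, or not text once decoded
            hits.extend((scheme, token, loc) for loc in prohibited if loc in decoded)
    return hits


if __name__ == "__main__":
    print(encode_variants("www.example.com"))
    print(find_prohibited("GET /go?u=d3d3LmV4YW1wbGUuY29t HTTP/1.1"))
```

The decoding pass is the cost the text refers to: every candidate token is tried under every scheme, so in a gateway it would be bounded to request fields that are known to carry locations.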